How to make a web client app use TLS 1.2

Question

We have several systems here that make calls to external systems using REST.

Currently these systems support TLS 1.0 but in the near future they will not support anything less than TLS 1.2.

An example is Github, and yesterday they did a test and restricted their REST API to accept only TLS 1.2 connections. I got failures using the tool Smartgit (on my Windows 10 desktop) and also with a utility that uses Octokit.Net to talk to Github.

This is explained more in this post:

https://github.com/octokit/octokit.net/issues/1756

As I say, we have other service providers that are also doing a similar thing, and one of these is providing NO test option!

We must get our systems to support TLS 1.2 before March 1 for example.

But I have no idea what we are to do. Must we do something to a machine's registry, or is that only for inbound connections on Server 2008?

What version of the framework is installed on the machine that is running your code? Starting with .NET 4.7, .NET will use the OS default, which will be TLS 1.x on newer OS versions. Simply upgrading the runtime on the target machine and ensuring that the appropriate TLS entries are enabled will resolve the issue.

For versions prior to 4.7 you have to update the software to use a newer version of the framework that supports TLS 1.x. Then you can use the ServicePointManager trick. Note that if you're calling WCF stuff then there is extra work involved.

If you don't want to update your software yet, you're running CLR v4 and you cannot update the runtime on the target machine, then the last option is a registry entry that forces the framework to use strong encryption anyway. There are many articles about it but here's one I found quickly.

On our servers we used the registry trick on our older servers (that supported TLS 1.x) and updated the framework on our current servers. Beware however that forcing all apps to use TLS 1.x may break calls to external resources that have not turned it on yet (hopefully there aren't any).

Also be aware that TLS 1.x has to actually be turned on for the target machine. IISCrypto is a useful tool for looking at this. It should be on for all newer OSes, but on some older ones (Server 2008 R2, for example) you have to opt in. Opting in requires a reboot, so plan accordingly.
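The three checks the answer above walks through (installed framework version, the .NET strong-crypto registry switches, and whether SCHANNEL itself offers TLS 1.2 as a client), plus the "ServicePointManager trick" and the registry fallback, as one added PowerShell script. This is an added example, not code from the original post or from Octokit.Net; the registry paths and value names are the documented Windows/.NET Framework ones, and the release number 460798 (the lowest value reported for .NET 4.7) is the threshold the script assumes for "4.7 or later". Run it in an elevated Windows PowerShell (the one hosted by the .NET Framework, not PowerShell Core), since the in-process part manipulates the same `ServicePointManager` an application would.

```powershell
# Added example, not from the original post. Audits, and optionally applies, the prerequisites
# the answer lists for an outbound TLS 1.2 connection from a .NET Framework client:
#   (1) .NET Framework 4.7+ installed, (2) the .NET strong-crypto / system-default switches,
#   (3) TLS 1.2 enabled as a client in SCHANNEL.  Run in an elevated Windows PowerShell.

$NdpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',             # 64-bit processes
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'  # 32-bit processes
)
$SchannelTls12Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. "OS/framework default applies".
    if (-not (Test-Path $Path)) { return $null }
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.$Name
}

function Test-Tls12Readiness {
    # (1) Release 460798 is the lowest value reported for .NET 4.7; later builds are higher.
    $release  = Get-RegDword $NdpKey 'Release'
    $hasNet47 = ($null -ne $release) -and ($release -ge 460798)

    # (2) Fallback switches for apps built against an older framework or that cannot be recompiled.
    $switches = foreach ($k in $DotNetKeys) {
        [pscustomobject]@{
            Hive                     = $k
            SystemDefaultTlsVersions = Get-RegDword $k 'SystemDefaultTlsVersions'
            SchUseStrongCrypto       = Get-RegDword $k 'SchUseStrongCrypto'
        }
    }

    # (3) SCHANNEL client side.  Absent values mean the OS default; on Windows 7 / Server 2008 R2
    # that default is "TLS 1.2 supported but disabled", so the explicit opt-in is what matters.
    $enabled           = Get-RegDword $SchannelTls12Client 'Enabled'
    $disabledByDefault = Get-RegDword $SchannelTls12Client 'DisabledByDefault'
    $schannelOptedIn   = ($enabled -eq 1) -and ($disabledByDefault -eq 0)

    [pscustomobject]@{
        DotNetRelease           = $release
        DotNet47OrLater         = $hasNet47
        DotNetSwitches          = $switches
        SchannelTls12ClientOn   = $schannelOptedIn
        # What this process would offer right now, before any in-process override.
        CurrentProcessProtocols = [System.Net.ServicePointManager]::SecurityProtocol
    }
}

function Enable-Tls12InProcess {
    # The "ServicePointManager trick".  PowerShell hosts the same .NET Framework, so this is the
    # property an application sets before its first outbound call.  C# equivalent:
    #   ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
    # OR-ing keeps protocols that are already enabled; assigning Tls12 alone would drop TLS 1.0/1.1
    # and break calls to the peers the answer warns about that have not moved yet.
    # Needs a 4.5+ runtime, where the Tls12 enum member exists.
    $cur = [System.Net.ServicePointManager]::SecurityProtocol
    [System.Net.ServicePointManager]::SecurityProtocol = $cur -bor [System.Net.SecurityProtocolType]::Tls12
    return [System.Net.ServicePointManager]::SecurityProtocol
}

function Enable-Tls12MachineWide {
    # Registry fallback for .NET 4.x processes you cannot update.  SchUseStrongCrypto=1 stops
    # pre-4.7 runtimes from defaulting to SSL3/TLS 1.0; SystemDefaultTlsVersions=1 tells 4.7+
    # to defer to SCHANNEL.  Both hives are set so 32-bit processes are not missed.
    # Takes effect for processes started after the change.
    foreach ($k in $DotNetKeys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        New-ItemProperty -Path $k -Name 'SchUseStrongCrypto'       -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $k -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWord -Force | Out-Null
    }
    # SCHANNEL client opt-in (needed on Server 2008 R2 / Windows 7); a reboot is required.
    if (-not (Test-Path $SchannelTls12Client)) { New-Item -Path $SchannelTls12Client -Force | Out-Null }
    New-ItemProperty -Path $SchannelTls12Client -Name 'Enabled'           -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $SchannelTls12Client -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    Write-Warning 'SCHANNEL change applied; reboot before relying on it.'
}

# Usage: audit first, then change only what the audit shows is missing.
Test-Tls12Readiness | Format-List
# Enable-Tls12InProcess      # per-process, immediate; what the application code itself should do
# Enable-Tls12MachineWide    # elevated; then reboot for the SCHANNEL part
```

Run the audit on every box that hosts a client, not just the build machine: the question's failures came from a desktop tool and a separate utility, and each process gets its protocol list from whichever runtime and registry hive it actually loads. After `Enable-Tls12InProcess`, an `Invoke-WebRequest` against the provider's test endpoint from the same session confirms the handshake before you touch the machine-wide keys.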